GHSA-r2jq-4h3x-rfj6

Source

https://github.com/advisories/GHSA-r2jq-4h3x-rfj6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r2jq-4h3x-rfj6/GHSA-r2jq-4h3x-rfj6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-r2jq-4h3x-rfj6

Aliases

CVE-2026-7223

Published

2026-04-28T06:30:29Z

Modified

2026-05-06T20:04:33.900298Z

Severity

7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

BigSweetPotatoStudio HyperChat has a Server-Side Request Forgery issue

Details

A vulnerability was identified in BigSweetPotatoStudio HyperChat up to 2.0.0-alpha.63. Affected by this issue is the function fetch of the file packages/core/src/http/aiProxyMiddleware.mts of the component AI Proxy Middleware. Such manipulation of the argument baseurl leads to server-side request forgery. The attack can be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T19:44:30Z",
    "cwe_ids": [
        "CWE-918"
    ],
    "severity": "MODERATE",
    "nvd_published_at": "2026-04-28T04:16:29Z"
}

References

Affected packages

npm / @dadigua/hyperchat

Package

Name: @dadigua/hyperchat; View open source insights on deps.dev
Purl: pkg:npm/%40dadigua/hyperchat

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

2.0.0-alpha.63

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-r2jq-4h3x-rfj6/GHSA-r2jq-4h3x-rfj6.json"